Trojan.Vundo according to Norton AntiVirus [RESOLVED]

BChawls

Posted 24 October 2005 - 06:26 PM

I have done everything that you suggested and have found many problems, but this main one still remains. I think that the problem is with the following files in system32: ddaya.dll, ddayv.dll, pmkhi.dll, and pmnll.dll. These are all locked so they can't be deleted. From what I can see, they are being locked by winlogon.exe and explorer.exe. If you need any more information from me, please let me know.

BChawls

Posted 28 October 2005 - 12:52 AM

I have downloaded the LSPFix and ran it, and there was one instance of newdotnet6_90dll. However, it was already in the Remove box. In the Keep box, there were the following: mswsock.dll, winrnr.dll, nwprovau.dll, and rsvpsp.dll. It did say that 1 entry was removed, so it would seem that I did something. Here is the new HijackThis log below:

After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode please go to Start > Settings > Control Panel > Add/Remove programs

Please uninstall the following programs:

Accoona
QuickBar

Please delete the following folders:

C:\Program Files\QuickBar
C:\Program Files\Accoona

Now open the VundoFix folder and double-click on KillVundo.bat

You will first be presented with a warning.
It should look like this

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....

At this point press enter one time.

Next you will see:

Please Type in the filepath as instructed by the forum staff
and then press enter:

At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\ddaya.dll

Press Enter to continue with the fix.

Next you will see:

Please type in the second filepath as instructed by the forum
staff then press enter:

At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\ayadd.*

Press Enter to continue with the fix.

The fix will run, then HijackThis will open. If it does not open automatically, please open it manually.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).

Set the program up as follows:

Click "Options..."

Move the arrow down to "Custom CleanUp!"

Put a check next to the following (Make sure nothing else is checked!):

After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

2) Once in Safe Mode, please run Killbox.

3) Select "Delete on Reboot".

4) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Don't reboot yet.

Open the VundoFix folder and double-click on KillVundo.bat

You will first be presented with a warning.
It should look like this

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....

At this point press enter one time.

Next you will see:

Please Type in the filepath as instructed by the forum staff
and then press enter:

At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\ddayv.dll

Press Enter to continue with the fix.

Next you will see:

Please type in the second filepath as instructed by the forum
staff then press enter:

At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\vyadd.*

Press Enter to continue with the fix.

The fix will run, then HijackThis will open. If it does not open automatically, please open it manually.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).

Set the program up as follows:

Click "Options..."

Move the arrow down to "Custom CleanUp!"

Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins

Delete Cookies

Delete Prefetch files

Cleanup! All Users

Click OK

Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Copy a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

BChawls

Posted 28 October 2005 - 10:46 PM

Okay, that must have helped with something because the computer is now running a little faster than before. However, it seems like some of those files I "fixed" with HijackThis showed up again when I ran it again. Also, when I ran the Killbox, I clicked "No" at the Delete on Reboot prompt, but did not see a Pending Operations prompt. Everything else went smoothly. I just thought I'd mention this in case it was important. My new logs are below...